Categories

Koobface Malware Detection

Malware authors are constantly coming up with new ways to compromise web sites. Now malicious hackers have started to focus on the weakest link in the security chain, web sites, breaking in and then using them to distribute dangerous viruses. This spreads malware on PCs which are then used to form bot networks of compromised PCs.

Customer data and the reputation of the web site and the online business is at stake. In this article, we highlight a malware detected way back in 2008 that hackers are still using to infect web sites on Facebook and other social networking portals. We show some samples of the malware which can be used to identify infected websites which are spreading Koobface, and what hosting companies and website owners can do to stop the spread of this malware.

What is Koobface?
Koobface can be classified as a computer worm. This malware targets users of social networks such as Facebook, hence the name Koobface. This piece of malware is extremely prevalent and the details are discussed below. Interestingly, this malware uses a well known mechanism that we have blogged about extensively in the past: stealing FTP credentials for websites, Facebook, and other social networking portals. Users on Mac, Windows and, to an extent, Linux operating systems are affected.

Koobface is Not New
It was detected way back in 2008, with new variations coming in 2009 and later. Once this malware successfully infects a clients machine, it can join a command and control channel or communicate peer-to-peer with other infected PCs or “bots.” This malware hijacks user search results, displays ads for Fake Anti-Virus products, and more.

How it Operates
Koobface sends messages to “friends” of the user whose profile has been compromised. Once the recipient opens the message and clicks on the links, the unsuspecting user is sent to an infected website where they are asked to download malicious software posing as an Adobe Flash player update.

Once the recipient of the message installs the malicious “update,” Koobface can now hijack their search queries, prevent the infected client’s browser from navigating to well known security websites (a DNS filter module is also downloaded), and send them to other infected websites. The unsuspecting user’s PC is now compromised.

Security Implications
The Koobface malware will attempt to steal FTP credentials to your websites and login information for FaceBook and other accounts. As a second step, your websites will be infected with the malware shown below. Finally, the malware installed on your websites will attempt to infect all your visitors, subsequently destroying the reputation of your website, driving away potential customers and lowering revenue.

The malware also posts malicious entries on your Facebook wall, using your profile to spread malware in social networks. This makes you an unwilling party to the infection of your friends and others who click on links in your profile and emails sent from your account.

Signs of Compromise (Server Side)
Infected websites spreading Koobface malware usually have a piece of obfuscated JavaScript code inserted near the HTML HEAD tags used to redirect a visitor to a website which hosts the actual malicious payload. When Koobface infects websites, it creates a random directory on the server with names similar to the following: “police,” or “copper.”

Interestingly, we have found that the string “kroteg” is present on infected sites. This has also been confirmed by other security researchers.

The code in the HEAD section of the web page is similar to the following:

d7h1db='do';d2akka91="cburnkmfji".replace(/[bnrkfji]+/g,"");

A URL to the infected page would look similar to:

http://www.compromisedsite.com/police/?go

An example blacklisted site (Live):

http://www.sfighters.yoyo.pl/freevideo/?go

How to Detect Infection (Client Side)
Several Anti-Viruses attempt to detect this malware at the client side.

Steps to Take
At StopTheHacker, we are tracking our detection of this malware as it affects web sites and servers on the Internet and working to prevent its spread to stop millions of accounts from being compromised.

All website administrators should search for new unrecognized files and directories, new SWF files, and files containing the string “kroteg” on the server.

We Can Help!
If you want to protect your site from infection, or you need additional support, sign up for one of our services. Please contact us with your comments or questions.